OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

cti message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: RE: [cti] Attack Motivations - adds to current list

Jerome hits the nail on the head, no one list will please everyone.  We had that in mind when we (the Threat Agent Analysis team @ Intel) sat down to develop our list of motivations.  We spent nearly a year researching prior art, including many of the lists mentioned here, trying to find the sweet spot: enough but not too much, coverage for every condition but not an endless list.  For us, the list we provided has worked very well and we have yet to find an instance where it did not cover what was needed, and it has resonated well both within and outside the security teams.  There will probably be some individual cases not included, but we recognize a list of manageable size will probably have outliers.


For example, Bret’s suggestions easily fit into the current taxonomy:


1.            amusement -> Personal Satisfaction

2.            advantage (competitive, political, economic) -> Organizational Gain or Personal Gain, depending on the actor

3.            anarchy -> Dominance





From: cti@lists.oasis-open.org [mailto:cti@lists.oasis-open.org] On Behalf Of Jerome Athias
Sent: Monday, August 08, 2016 1:34 AM
To: Patrick Maroney <Pmaroney@specere.org>
Cc: Jordan, Bret <bret.jordan@bluecoat.com>; cti@lists.oasis-open.org
Subject: Re: [cti] Attack Motivations


I concur strongly

Some common taxonomies and enumerations were captured here


My experience of developing softwares (for 15+ years) using enumerations in combo lists, etc. in a domain like cybersecurity let me think here that exhaustive "cover them all and please everybody" enumerations can't be found. 

An approach using a hierarchical categorization/classification (I.e. Multi steps for 1) select a general category - mandatory 2) select a more detailed category between the ones of 1) - optional) helps ensuring a minimum of coherence without "giving headaches" to those who hate (being specific) spending more than 5s finding The value in a list.

E.g.: views in CWE, CAPEC

On Sunday, 7 August 2016, Patrick Maroney <Pmaroney@specere.org> wrote:

I know we are on a tight timelime and want to close on these enumerations.  However, I want to add a strategically focused comment here: The overarching point is to advocate for common adoption of taxonomies across standards (formal and de facto).  By taking the time to identify and adopt "best of breed" taxonomies, we can then srategically do outreach and advocate for homogenization and drive convergence.  So presuming we will always have a variety of CTI schemas and ontologies (e.g., VERIS, OpenIOC, CIF), the convergence and adoption of shared Taxonomies will empower easier transformations between different formats and internal data representations.


If we could get all CTI TC members to submit their existing taxonomies for the categories in question, maybe we could quickly reach concurrence and homogenization.  Thoughts?


 I know I've seen some very good Motivation Taxonomies with good descriptions.  Have not found "the" one yet...@Jerome Athias: Your thoughts?


Alternatively, here's some of the better ones I've found today. 



(1) The IBM X-Force taxonomy



 (We would have to normalize their "Outrage Trolls" Class).  



(2) VERIS Taxonomy



NA: Not Applicable (unintentional action)

Espionage: Espionage or competitive advantage

Fear: Fear or duress

Financial: Financial or personal gain

Fun: Fun, curiosity, or pride

Grudge: Grudge or personal offense

Ideology: Ideology or protest

Convenience: Convenience of expediency

Unknown: Unknown

Other: Other




Patrick Maroney
Integrated Networking Technologies, Inc.
Desk: (856)983-0001
Cell: (609)841-5104
Email: pmaroney@specere.org


(4) NIST


Couldn't find one but believe a taxonomy exists

On Sun, Aug 7, 2016 at 4:13 PM -0400, "Jordan, Bret" <bret.jordan@bluecoat.com> wrote:

This Taxonomy did come from an existing well vetted solution. aka the Intel Threat Agent work.  But given that work applies to general threat actors, we are trying I tailor it more specifically to the cyber space.


The reason I am looking to add a few values is I have been reviewing every taxonomy I can find and make sure our terms and definitions cover everything that cerebrally exists.  



Sent from my Commodore 64

On Aug 7, 2016, at 12:42 PM, Patrick Maroney <Pmaroney@Specere.org> wrote:

.02:  Like Sophistication, we should directly adopt  an existing, well vetted, Taxonomy.  


@Patrick/ISightPartners or @EclecticIQ:  Can you provide reference?

Patrick Maroney
Integrated Networking Technologies, Inc.
Desk: (856)983-0001
Cell: (609)841-5104
Email: pmaroney@specere.org


On Sun, Aug 7, 2016 at 12:15 AM -0400, "Jordan, Bret" <bret.jordan@bluecoat.com> wrote:



Intrusion Sets and Threat Actors both use the Attack Motivations vocabulary.  Right now we have the following terms in that vocab:


  1. accidental
  2. coercion
  3. dominance
  4. ideology
  5. notoriety
  6. organizational-gain
  7. personal-gain
  8. personal-satisfaction
  9. revenge
  10. unpredictable



I propose that we add the following thee terms to this list, I missed them when I was putting this list together.  


  1. amusement
  2. advantage (competitive, political, economic)
  3. anarchy











Bret Jordan CISSP

Director of Security Architecture and Standards | Office of the CTO

Blue Coat Systems

PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050

"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." 


[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]